Legal Alert – Mobile Apps and Privacy – New U.S. Initiatives
Privacy issues related to mobile apps have been at the center of attention of U.S. authorities recently. In January, the Attorney General of the State of California, the state’s chief legal officer whose duties include ensuring that the laws of the state are uniformly and adequately enforced, issued a report that provides recommendations for mobile app developers. On February 1, 2013, the Federal Trade Commission (FTC), the U.S. federal agency in charge of consumer protection and the nation’s chief privacy watchdog, issued a staff report recommending ways in which the key mobile app market players can better inform consumers about their privacy practices. On the same day, the FTC also issued a press release stating that Path, Inc., the operator of the social networking app Path, had settled FTC charges relating to the alleged deception of users by collecting personal information from their address books without their knowledge and consent. As the largest app platforms, such as Apple’s App Store and Google Play, are U.S. based and need to follow U.S. regulation when making apps available to the public, these recent developments are also highly relevant for non-U.S. companies that either develop apps or have them developed by a third party.
RECOMMENDATIONS OF THE CALIFORNIA ATTORNEY GENERAL
The report named Privacy on the Go – Recommendations for the Mobile Ecosystem is one of many recent steps taken by the California Attorney General to address mobile privacy. The Recommendations are addressed primarily to app developers, but they also include some guidelines for other market actors. The stated aim of the Recommendations is to assist app developers, and others, in considering privacy at the outset of the design and development process of apps.
Pursuant to the Recommendations, app developers should:
- Prepare a data checklist at the outset of the development process to review the personally identifiable data the app could collect. Such a checklist should subsequently be used to make decisions on privacy practices;
- Avoid or limit collecting such personally identifiable data that are not needed for the app’s basic functionality;
- and that the policy is conspicuously accessible to users;
- Use enhanced measures to comply with the surprise minimization approach
The Recommendations also offer a Decision Path for building privacy into apps.
THE FTC’S STAFF REPORT
The FTC’s staff report also provides federal level recommendations for the major participants in the mobile marketplace. The report emphasizes the importance of ensuring that consumers get timely and easily understandable information relating to the collected data and the purposes for which data are collected.
According to the report, app developers should:
- Provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive content, such as geo-location information (unless already provided and obtained by the platform provider);
- Improve coordination and communication with ad networks and other third-party service providers, such as analytics companies, to better understand the software they use and as a result be able to provide accurate disclosures to
- Consider participating in self-regulatory programs, trade associations, and industry organizations, which can guide them in preparing uniform, short-form privacy disclosures.
Mobile platforms should:
- Provide just-in-time disclosures and obtain consumers’ affirmative express consent before allowing apps to access sensitive information, such as geolocation information;
- Consider providing just-in-time disclosure and obtaining express affirmative consent before collecting other content that consumers may find sensitive, such as contacts, photos, calendar entries or audio or video recordings;
- Consider developing a one-stop dashboard for consumers to review the types of content accessed by their apps, and icons that depict the transmission of user data;
- Promote app developer best practices, for example by education and privacy disclosure requirements;
- Consider providing consumers with disclosures about the extent to which platforms review apps prior to making them available for download, and compliance checks they undertake afterwards;
- Consider offering a mobile Do Not Track mechanism for smartphone users to allow them to prevent tracking by ad networks or other third parties.
According to the report, advertising networks and other third parties should communicate with app developers to enable the developers to provide truthful disclosures to consumers, and with platforms to ensure effective implementation of the Do Not Track mechanism. Further, app developer trade associations, as well as academics, experts and privacy researchers, are encouraged to develop short-form disclosures for app developers, promote standardized app developer privacy policies to enable consumers to compare data practices between apps, and educate app developers on privacy issues.
In conjunction with its staff report, the FTC also released a new business guide, titled Mobile App Developers: Start with Security, which is intended to provide guidance for app developers to address mobile data security.
SETTLEMENT WITH HEAVY FINES FOR THE OPERATOR OF THE SOCIAL NETWORKING APP PATH
Finally, according to the FTC, Path violated the Children’s Online Privacy Protection Rule (the COPPA Rule) by collecting information from children under age 13 without providing notice and obtaining parental consent (see also our earlier Legal Alert relating to the FTC’s amendments to the COPPA Rule, available at http://bit.ly/WVBnR1).
The settlement requires Path to create a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. Moreover, Path agreed to pay a fine of $800,000 for the alleged COPPA violation and to comply with COPPA.
As is evident, the regulations affecting the mobile marketplace are evolving rapidly. The Recommendations of the California Attorney General and the FTC’s Staff Report serve as an indication of the U.S. authorities’ continuing commitment to monitor the mobile domain, while the Path settlement reflects the FTC’s ongoing efforts to ensure that companies live up to their privacy promises.
In light of the above and taking into account the global nature of the mobile app market, app developers, companies for which apps are developed by third parties, platform providers and advertising networks are strongly recommended to review their privacy practices. If you are interested in learning more about mobile privacy regulations or need to review your privacy practices or policies, please contact us at your convenience.